On July 17, 1995, the Computer Systems Laboratory (CSL) of the National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) of the Government of Canada announced the establishment of the Cryptographic Module Validation Program (CMVP). The Cryptographic Module Validation Program would validate commercial products for conformance to FIPS 140-1, Security Requirements for Cryptographic Modules. Products validated by this program will be accepted for use in both Canada and the United States for the protection of sensitive, unclassified information. Vendors of cryptographic products will be able to build to a common standard and utilize one common validation process. Their products will have a larger potential market. NIST and CSE encouraged their respective federal agencies to begin specifying FIPS 140-1 validated products in their procurements.
On May 25, 2001, FIPS 140-2, Security Requirements for Cryptographic Modules was signed. FIPS 140-2 incorporates changes in applicable standards and tehcnology since the development of FIPS 140-1 as well as changes that are based on comments received from the vendor, laboratory, and user community.
FIPS 140-1 and FIPS 140-2 are mandatory standards. With the passage of the Federal Information Security Management Act of 2002, there is no longer a statutory provision to allow for agencies to waive mandatory Federal Information Processing Standards. Details here.
The CMVP requires accredited, independent, third-party testing laboratories to test products for compliance to FIPS 140-1 and FIPS 140-2. The National Voluntary Laboratory Accreditation Program (NVLAP) has announced that nine Cryptographic Module Testing (CMT) Laboratories have been accredited to perform FIPS 140-1 and FIPS 140-2 testing.
Test results from these accredited laboratories are sent to NIST and CSE. NIST and CSE will examine the test results and issue appropriate, joint validation certificates.
FIPS 140-1 and FIPS 140-2 are the flagships of NIST cryptographic standards. It specifies the overall requirements for all cryptographic modules protecting sensitive, unclassified information, and provides a framework for all other NIST cryptographic standards. FIPS 140-1 and FIPS 140-2 was developed in cooperation with CSE, cryptographic product developers and integrators, and interested user communities.
The conformance tests used by the accredited laboratories are specified in Derived Test Requirements for FIPS 140-1 and FIPS 140-2.
FIPS 140-1, FIPS 140-2, the derived test requirements, the CMVP lilst of validated modules and algorithms, and the list of NVLAP accredited laboratories may be obtained electronically from: http://csrc.nist.gov/cryptval. For more information regarding the CMVP, contact Randall J. Easter (NIST) at 301-975-4641 or Jean Campbell (CSE) at 613-991-8121. For more information regarding NVLAP, contact Jeffrey Horlick at 301-975-4020.
Last Modified: 12/23/2004
Computer Security Division
National Institute of Standards and Technology